Massive Leak Shows How a Chinese Company Is Exporting the Great Firewall to the World


Geedge Networks, a company with ties to the founder of China’s mass censorship infrastructure, is selling its censorship and surveillance systems to at least four other countries in Asia and Africa.

A leak of more than 100,000 documents shows that a little-known Chinese company has been quietly selling censorship systems seemingly modeled on the Great Firewall to governments around the world.

Geedge Networks, a company founded in 2018 that counts the “father” of China’s massive censorship infrastructure as one of its investors, styles itself as a network-monitoring provider, offering business-grade cybersecurity tools to “gain comprehensive visibility and minimize security risks” for its customers, the documents show. In fact, researchers found that it has been operating a sophisticated system that allows users to monitor online information, block certain websites and VPN tools, and spy on specific individuals.

Researchers who reviewed the leaked material found that the company is able to package advanced surveillance capabilities into what amounts to a commercialized version of the Great Firewall—a wholesale solution with both hardware that can be installed in any telecom data center and software operated by local government officers. The documents also discuss desired functions that the company is working on, such as cyberattack-for-hire and geofencing certain users.

According to the leaked documents, Geedge has already entered operation in Kazakhstan, Ethiopia, Pakistan, and Myanmar, as well as another unidentified country. A public job posting shows that Geedge is also looking for engineers who can travel to other countries for engineering work, including to several countries not named in the leaked documents, WIRED has found.

The files, including Jira and Confluence entries, source code, and correspondence with a Chinese academic institution, mostly involve internal technical documentation, operation logs, and communications to solve issues and add functionalities. Provided through an anonymous leak, the files were studied by a consortium of human rights and media organizations including Amnesty International, InterSecLab, Justice For Myanmar, Paper Trail Media, The Globe and Mail, the Tor Project, the Austrian newspaper Der Standard, and Follow The Money.

“This is not like lawful interception that every country does, including Western democracies,” says Marla Rivera, a technical researcher at InterSecLab, a global digital forensics research institution. In addition to mass censorship, the system allows governments to target specific individuals based on their website activities, like having visited a certain domain.

The surveillance system that Geedge is selling “gives so much power to the government that really nobody should have,” Rivera says. “This is very frightening.”

Digital Authoritarianism as a Service

At the core of Geedge’s offering is a gateway tool called Tiangou Secure Gateway (TSG), designed to sit inside data centers and scale to process the internet traffic of an entire country, documents reveal. According to researchers, every packet of internet traffic runs through it, where it can be scanned, filtered, or stopped outright. Besides monitoring all traffic, documents show that the system also allows operators to set up additional rules for specific users it deems suspicious and to collect their network activity.

For unencrypted internet traffic, the system is able to intercept sensitive information such as website content, passwords, and email attachments, according to the leaked documents. If the traffic is encrypted with the Transport Layer Security (TLS) protocol, the system instead uses deep packet inspection and machine learning techniques to extract metadata from the encrypted stream and predict whether it is passing through a censorship circumvention tool like a VPN. If it cannot classify the encrypted traffic, the system can also opt to flag it as suspicious and block it for a period of time.
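To make the distinction above concrete, here is an added example (written for this page, not Geedge’s code and not material from the leak) of what a DPI box can read off the first client packet of a flow without breaking encryption: a plaintext HTTP request exposes everything, while a TLS ClientHello, which is sent before any key is agreed, still exposes the server name (SNI), the cipher-suite list, and ALPN. The sample flows, the domain blocklist, and the “known browser” cipher-suite table are constructed assumptions, as is the flag-as-suspect rule, which stands in for the classification the article describes.

```python
"""Added example: what a DPI box can read off one flow without breaking TLS.
Illustrative code for this page, not Geedge's code or material from the leak; the
flows, blocklist and cipher-suite fingerprint table below are constructed assumptions."""
import struct

TLS_HANDSHAKE, CLIENT_HELLO = 0x16, 0x01
EXT_SNI, EXT_ALPN = 0x0000, 0x0010
BROWSER = (0x1301, 0x1302, 0x1303, 0xC02B, 0xC02F)  # made-up "known browser" suite order
KNOWN_BROWSER_SUITES = {BROWSER}                    # assumption: stands in for a JA3-style table
SNI_BLOCKLIST = {"vpn.blocked.example"}             # assumption: stands in for a domain blocklist


def build_client_hello(sni, ciphers, alpn=()):
    """Construct a minimal well-formed TLS ClientHello record (sample input only)."""
    exts = b""
    if sni is not None:
        host = sni.encode()
        names = b"\x00" + struct.pack("!H", len(host)) + host   # name_type host_name
        body = struct.pack("!H", len(names)) + names
        exts += struct.pack("!HH", EXT_SNI, len(body)) + body
    if alpn:
        protos = b"".join(bytes([len(p)]) + p.encode() for p in alpn)
        body = struct.pack("!H", len(protos)) + protos
        exts += struct.pack("!HH", EXT_ALPN, len(body)) + body
    suites = b"".join(struct.pack("!H", c) for c in ciphers)
    hello = (b"\x03\x03" + bytes(32) + b"\x00"                  # version, random, empty session id
             + struct.pack("!H", len(suites)) + suites
             + b"\x01\x00"                                      # null compression only
             + struct.pack("!H", len(exts)) + exts)
    hs = bytes([CLIENT_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([TLS_HANDSHAKE, 3, 1]) + struct.pack("!H", len(hs)) + hs


def _parse_hello(hs):
    """Walk the ClientHello: all of this is on the wire before any key is agreed."""
    p = 4 + 2 + 32                                  # handshake header, version, random
    p += 1 + hs[p]                                  # session_id
    n = struct.unpack("!H", hs[p:p + 2])[0]; p += 2
    ciphers = [struct.unpack("!H", hs[i:i + 2])[0] for i in range(p, p + n, 2)]
    p += n
    p += 1 + hs[p]                                  # compression methods
    meta = {"sni": None, "ciphers": ciphers, "alpn": []}
    if p + 2 > len(hs):                             # legacy client, no extensions block
        return meta
    end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]; p += 2
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[p:p + 4]); p += 4
        data = hs[p:p + elen]; p += elen
        if etype == EXT_SNI and len(data) >= 5:     # list_len(2) type(1) name_len(2) name
            meta["sni"] = data[5:5 + struct.unpack("!H", data[3:5])[0]].decode(errors="replace")
        elif etype == EXT_ALPN and len(data) >= 2:  # list_len(2) then len(1)+name entries
            q = 2
            while q < len(data):
                meta["alpn"].append(data[q + 1:q + 1 + data[q]].decode(errors="replace"))
                q += 1 + data[q]
    return meta


def parse_flow(payload):
    """Classify the first client packet of a flow: plaintext HTTP, TLS ClientHello, or unknown."""
    try:
        if payload[:1] == bytes([TLS_HANDSHAKE]):
            hs = payload[5:5 + struct.unpack("!H", payload[3:5])[0]]
            if hs[:1] == bytes([CLIENT_HELLO]):
                return {"kind": "tls", **_parse_hello(hs)}
        elif payload[:4] in (b"GET ", b"POST"):     # plaintext: the whole request is readable
            for line in payload.split(b"\r\n\r\n", 1)[0].split(b"\r\n")[1:]:
                k, _, v = line.partition(b":")
                if k.strip().lower() == b"host":
                    return {"kind": "http", "host": v.strip().decode(errors="replace")}
            return {"kind": "http", "host": None}
    except (struct.error, IndexError):
        pass                                        # truncated or malformed: never crash on junk
    return {"kind": "unknown"}


def verdict(meta, blocklist=SNI_BLOCKLIST, known=KNOWN_BROWSER_SUITES):
    """Illustrative rule set (an assumption, not the leaked system's logic)."""
    if meta["kind"] == "http":
        return "block" if meta["host"] in blocklist else "pass"
    if meta["kind"] == "tls":
        if meta["sni"] in blocklist:
            return "block"                          # destination known from metadata alone
        if meta["sni"] is None and tuple(meta["ciphers"]) not in known:
            return "suspect"                        # cannot classify: the flag-and-block case
    return "pass"


SAMPLE_FLOWS = {                                    # constructed, not captured traffic
    "browser_to_news": build_client_hello("news.example", BROWSER, ("h2", "http/1.1")),
    "browser_to_vpn": build_client_hello("vpn.blocked.example", BROWSER),
    "no_sni_odd_suites": build_client_hello(None, (0xCCA8, 0xC030)),
    "no_sni_browser": build_client_hello(None, BROWSER),
    "plain_http": b"GET / HTTP/1.1\r\nHost: vpn.blocked.example\r\n\r\n",
    "truncated": bytes([TLS_HANDSHAKE, 3, 1, 0, 9, CLIENT_HELLO]),
}


def triage(flows):
    return {name: verdict(parse_flow(p)) for name, p in flows.items()}


if __name__ == "__main__":
    for name, v in triage(SAMPLE_FLOWS).items():
        print(f"{name:18} {v}")
```

The “no_sni_odd_suites” flow is the interesting case: nothing in it is readable, so the only signal is that its handshake shape does not match a known client, and a censor that blocks on that signal will also block every legitimate client it has not fingerprinted. Real deployments add packet-size and timing features on top of this metadata; the example shows only the part a plain protocol parser can see.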

One screenshot of the Geedge dashboard for Myanmar shows that the system is monitoring 81 million internet connections simultaneously, while it can theoretically be scaled even larger with more hardware, InterSecLab researchers say. Other documents show that as of February 2024, Geedge’s equipment had been installed in 26 data centers across 13 internet service providers in Myanmar. Frontiir, a local telecom operator in Myanmar, previously denied having “built, planned, or designed anything related to surveillance,” but it was found in the leak to have installed Geedge equipment at its data center. Investcom, a joint-venture telecom operator between Burmese and Lebanese companies, said it was “aware of claims relating to third-party technologies in Myanmar” but refused to “confirm or deny the existence of third-party systems” in a written reply to the researchers at Justice for Myanmar.

Geedge sells a one-stop shop of censorship solutions, including internet gateway hardware. According to InterSecLab, Geedge originally used Western brand equipment from HP and Dell, but later moved to using hardware manufactured by Chinese companies to avoid being impacted by potential sanctions.

Another core Geedge product is Cyber Narrator, the main user interface through which non-technical government clients get a real-time, bird’s-eye view of the data that Tiangou Secure Gateway collects, documents show. In screenshots of the system found in the leak, Cyber Narrator operators can see the geographic location of each mobile internet user based on their cell service communications, as well as analyze whether the user is accessing the internet through VPN services.

In the case of Myanmar, internal records reveal that Geedge identified 281 popular VPN tools, complete with their technical specifications, subscription prices, and whether they can be used in Myanmar. A separate document identified 54 apps marked as higher priority for blocking. The prioritization list of tools includes mostly popular commercial services like ExpressVPN, as well as Signal, the encrypted messaging app.

The documents show that Geedge’s technical ability is rapidly growing. “I was reading through the tests and [realized that] they went from not blocking most of the VPNs to blocking almost all the VPNs in months,” says Rivera, drawing on findings from academic researchers the company works with.

Breaking the Internet

While the leaked documents contain no record of business contracts, they refer to clients by cryptic code names. Researchers were able to pin down four of the foreign government clients as Kazakhstan (K18 and K24), Pakistan (P19), Ethiopia (E21), and Myanmar (M22) by combing through documents in the leak for mentions of data centers’ geographic locations, tracking international cargo records from Geedge to other countries, and drawing on prior reporting on Chinese companies’ involvement in selling censorship software. There is an additional mention of a client coded A24, but there isn’t sufficient evidence to show what it refers to.

Geedge’s public hiring efforts may provide more information on its potential expansion plans. On a third-party job recruitment platform in China, Geedge is hiring a senior overseas operations and maintenance engineer to maintain the systems in “Belt and Road countries.” The job listing says it may require spending three to six months outside China, travelling to Pakistan, Malaysia, Bahrain, Algeria, and India. Separately, in March, the company was also hiring Spanish-speaking and French-speaking translators who could support Geedge’s overseas businesses.

In Pakistan, for example, one license renewal document shows that the Geedge services, including capabilities to monitor real-time statistics and retain email information, were licensed to the Pakistan Telecommunication Authority in October 2024. Another Jira support ticket shows the example of an intercepted email, complete with the full content, subject, protocol, attachment, names of sender and receiver, and the IP addresses involved.

Researchers believe that some Geedge employees are able to access information intercepted by the client, which could be a national security risk for the client governments.

Geedge’s experience in Pakistan also shows that it’s building products on interoperable equipment to appeal to different customers. Prior to Geedge coming to Pakistan, the country had worked with Sandvine, a Canadian company that supplied deep-packet-inspection gear before withdrawing under US sanctions. When Sandvine left, its hardware remained in Pakistani data centers, according to the leak. Geedge moved in to repurpose the existing infrastructure, the documents show, offering a transition to a new regime of censorship—one that would eventually run on Chinese-manufactured hardware instead.

The company’s ability and willingness to work with the hardware left by Sandvine should pose a warning for countries issuing export licenses for sensitive technologies, says Jurre van Bergen, a technologist at the human rights nonprofit Amnesty International: “Once it's exported, it's there, and they're going to reuse it in some capacity. I think it does speak to the limits of the sanctions.”

Researchers caution that no document in the leak proves Geedge’s system is responsible for the internet censorship that took place in a particular country, but key operational changes in the Geedge technical logs correspond with notable events. In Ethiopia, for example, the system was switched from a mode that passively monitors traffic to a mode that can actively stop traffic “just days before the internet shutdown” in February 2023, says Rivera. In total, the leak shows 18 occasions on which the Geedge gateway system in Ethiopia switched from passive monitoring to active interference, at the expense of slowing down services.

At the same time, the Canadian VPN service Psiphon, which documents show can be targeted by Geedge’s system, has corroborated the leak’s findings: it observed changes in user behavior in Myanmar consistent with large-scale blocking at the internet service provider level, around the same time Geedge was deployed there.

Father of the Great Firewall

While Geedge Networks may be obscure both inside and outside China, it has close ties with the forces that built China’s controversial filtering and blocking system, now known as the Great Firewall. When Geedge Networks was founded in 2018, it went by a different name, Zhongdian Jizhi, showing its connection to China Electronics Corporation (CEC), a massive state-owned conglomerate with close ties to the country’s military and security services. (Zhongdian is the abbreviation of CEC in Chinese.) CEC was sanctioned by the United States government in 2020.

What also connects the two companies is Fang Binxing, a Chinese computer scientist who’s often called the “father of the Great Firewall,” as he led the early development of the censorship system. Fang’s work would essentially achieve what former US president Bill Clinton compared to nailing Jell-O to the wall: controlling a technology that was designed to give everyone equal access to information. As technology has developed, the Great Firewall has been built higher too, effectively blocking the majority of Chinese people from accessing information deemed politically unacceptable by the Chinese government, whether they are using computers, phones, or even cutting-edge technology like AI models.

In 2019, while still employed as CEC’s chief scientist, Fang took a 40 percent stake in the company Jicheng (Hainan) Technology Investment, according to Chinese corporate records databases. Jicheng is an investor in Geedge Networks and shares an executive with it. In 2024, Fang set up a new cybersecurity research studio with the help of Geedge, Chinese state media Xinhua reported.

Coming Full Circle

Geedge is not only exporting Chinese censorship abroad; it is reimporting lessons learned overseas to refine repression at home, records show. Years after it had sold technologies to other countries, Geedge started targeting Chinese provincial governments too for their unique needs. First stop: Xinjiang.

The region, home to millions of Uyghur Muslims, has experienced intensive digital surveillance by the Chinese government in the past decade. Geedge’s leaked documents show that the company is collaborating with Chinese research institutions to expand monitoring systems there. A script of a speech given at the Xinjiang Branch of the Chinese Academy of Sciences in 2024, found in the leak, mentions that “the national (firewall) is evolving from a centralized to a distributed model.” Photos in the leak show that the company has invited students from the Massive and Effective Stream Analysis (Mesalab), a research laboratory at the Chinese Academy of Sciences, to visit Geedge’s server room in Xinjiang.

This provincial deployment in Xinjiang, coded as J24 in the leak, started in 2024 after an initial test program. Like in other countries, Geedge operating centers are embedded in the telecom data facilities in Xinjiang.

Meanwhile, Geedge has also operated pilot projects in two other Chinese provinces, Fujian and Jiangsu, according to the leaked records. Screenshots and other documents from these projects show the system was focused on detecting financial scam websites, which are more common in China’s eastern coastal provinces.

In addition to collecting traffic information on both a wide and individual scale, the Xinjiang project was also exploring some experimental functions. A list of desirable features found in the leak shows that Geedge was aiming to update Cyber Narrator so it could construct relationship graphs between users and group individuals according to the apps they use. It also plans to triangulate the location of a user through mobile cell stations and create geofences for certain users, records show.

Another prototype feature found in the leak is described as an individual “reputation score.” Each internet user is given a baseline score of 550, and it can be increased by authenticating the user’s personal information, including the national identification, facial recognition data, and employment details. If the user’s reputation score doesn’t rise above 600, they won’t be able to access the internet.

It’s unclear whether these features have been realized and incorporated into Geedge’s surveillance systems deployed in China and abroad.

Geedge’s ongoing attempt to unearth information from individuals is particularly worrying, because the company also has the capability to inject malware into users’ internet traffic, says Lea Horne, another researcher at InterSecLab. “It makes it so much easier to find a way to target an individual. Instead of trying to guess what website they visit that doesn’t support HTTPS, you can just look at all their internet activity in the past, find a website that doesn't regularly use a secure internet connection, and inject malware into this website next time you visit,” she says. And even though some features were being tested within China, once the technology is mature, any foreign client can request the same features in their systems through a simple software update.
